Regulatory Exam Preparation: Audit-Ready Strategies

When was the last time your firm underwent an SEC regulatory examination? Chances are it’s been a while.

The exam process may look different this time around. We often talk about the importance of designing an audit-ready compliance program that’s always prepared to respond to regulatory inquiries. But what happens when you actually receive the call from the SEC about a real examination?

If you need a refresher or want to get up-to-date on the latest regulatory approach and expectations, we’ve got you covered.


Regulatory Exams: The 4 Types

Whether you are brand new to the industry or a seasoned shop, it is important to know the types of regulatory exams you might encounter.

1. Welcome

If you have recently registered with the SEC or have never been examined before, you should expect to have your first regulatory exam within 18 months.

Welcome examinations are designed to introduce your firm to the regulators. They’re also an opportunity for you to demonstrate that a culture of compliance is rooted in your firm’s way of operating from the start.


2. For Cause

When the SEC launches an exam for cause, it’s because someone (an investor or employee) has filed a complaint or referral, or has tipped off the SEC, sparking regulatory scrutiny.

These examinations are typically very specific and take an extensive look at the area of the business and program flagged by the whistleblower.


3. Limited Scope

Limited-scope reviews may be conducted to ensure compliance with a specific topic or issue. They are often driven by new SEC rules or a specific area of risk that regulators are concerned about.

Something like the new marketing rules or anything touched upon in a recent SEC Risk Alert is perfect fodder for a limited-scope exam.


4. Risk-Based or Routine

Don’t assume you’re in the clear if you have not met the criteria for any of the categories above. Risk-based or routine examinations are still conducted on a regular basis. In 2021, the SEC conducted 3,040 examinations, representing a 3% increase over the previous fiscal year.

You can think of risk-based exams like jury duty — if it’s been a while since you’ve been called, your likelihood of hearing from the SEC is higher. Risk-based exams typically happen every three to five years.

To get a better sense of your current audit risk, review the SEC’s latest examination priorities and reflect on the results of your last exam.


Examination Process: Know What’s Coming

Once you understand the types of SEC exams your firm might face, it’s time to prepare to respond. Fortunately, the exam process is similar across all types.

And while the way examinations take place has changed a bit since the pandemic, the opportunity to maintain protocol persists even in a virtual setting. Here’s what to expect:

  1. Notification: The SEC’s initial notification of its intent to examine your firm typically occurs via telephone.
  2. Document Request List: Following that phone call, the SEC will send you a formal email communication, including a document request list. The email will detail due dates for all required information.
  3. Zoom/In-Person Review: This first meeting serves to familiarize the examiners with your business. Up until this point, the regulators have largely based their understanding of your firm on publicly disclosed information. Now, they get to hear directly from you.
  4. Review/Testing: Based upon the pre-audit materials reviewed, the SEC exam team may ask follow-up questions or wish to explore certain areas of the business further.
  5. Exit Interview: Your exit interview will provide a general understanding of any key findings, concerns, or aspects of your program the SEC may follow up on at a later date.
  6. Deficiency Notice/Summary of Findings: At the conclusion of the exam, the SEC will supply your firm with its summary of findings and/or deficiency notice. These summaries are rarely all gold stars and check marks. In many cases, the SEC’s comments are designed to demonstrate how your compliance program can be strengthened.
  7. How to Respond: If you need to respond to the SEC, be mindful in your approach. If you indicate that you will make changes to your operations and/or compliance program because of the SEC’s review, the agency will expect to see evidence of your promised enhancement the next time it checks in.


Regulatory Focus: Stay Informed

In recent years the SEC has made great progress in enhancing its communications with the industry. Today, we hear from the agency regularly in the form of:

The SEC takes the time to share these resources because it wants to alert you to new vulnerabilities or highlight areas where other firms are struggling. It is creating these resources in service of building a stronger industry, and it expects firms to do their part and review them! 

If you need any extra incentive to bookmark the SEC’s website, the risks the SEC highlights today are likely the ones you get asked about on your exam tomorrow. It pays to stay on top of the agency’s latest risk alerts and to ensure that your policies and procedures address common deficiencies.


Training Focus: Educate Your Staff

As a CCO, you may know what to expect from a regulatory exam, but what about your portfolio manager who’s just joined the industry?

Compliance is complicated, and no CCO can expect their entire staff to have uniform mastery of the firm’s program or the general steps that go into preparing for an SEC exam.

Take the time to educate your staff about:

  • The exam process
  • The types of questions they may be asked in an exam
  • Your firm’s policies and procedures


SEC Audit Prep: Perform Your Own Fire Drills

Practice makes perfect, so running your own mock exam mini-drills can only aid your firm’s audit readiness and strengthen your compliance program. To get started you might:

  • Review sample document request lists and practice collecting and preparing records for delivery from your systems.
  • Craft your firm’s introductory overview and rehearse it with key personnel.
  • Retain the support of an independent consultant to conduct a mock examination or staff training.

These exercises may offer insight into areas of your program that demand additional attention. Armed with that information, you may choose to redirect budget toward fortifying those weak spots.


Stay in the Know: Join a Compliance Industry Network

The field of compliance has come a long way in the past couple of decades. From networking opportunities to peer-driven resources, it’s easier than ever for compliance professionals to share experiences and work collaboratively to establish industry-wide best practices.

Consider becoming involved in regional roundtable discussions, attending industry conferences, and subscribing to industry and vendor-authored blogs to stay informed on trends and hot topics. You may start with these:


Your Compliance Risk: Mitigated

The bottom line: Be proactive with managing your compliance program because the implications of a wait-and-see approach are far too costly.
